CG-NAT
NAT/CG-NAT significantly extends the capacity of existing networks. As the supply of IPv4 addresses is nearly exhausted, the transition to IPv6 is inevitable, and the rapid growth in the number of mobile devices and cloud services in use makes this task even more urgent.
IPv4 addresses are no longer available from the regional Internet registries (RIRs). The only remaining option is to purchase a large pool of IPv4 addresses from a broker, which drives the cost of a single IPv4 address up constantly.
The Stingray SG solution is designed for telecom operators and Internet service providers; it is also a suitable replacement for NAT equipment in corporate networks. With its range of functions and capabilities, Stingray fits any growing network and adapts to it.
Using Carrier Grade NAT (CGN or CG-NAT), also called Large Scale NAT (LSN), an ISP is able to:
- Provide one public IPv4 address to several subscribers without loss of Internet connection quality: up to 100 private IP addresses can be placed behind one public IP address (the ideal ratio is 1:10)
- Extend the use of the limited IPv4 address space and reduce the cost of buying IPv4 addresses by 90%
- Prepare for the introduction of IPv6 addressing by supporting Dual Stack v4-v6 (both protocol versions running at the same time)
Specifics
The CG-NAT function uses Full Cone NAT, which allows packets from any external host to reach the subscriber through the externally mapped TCP/UDP port that the subscriber's own outbound traffic established.
Subscribers behind the NAT can reach each other's public addresses without the packets being translated and forwarded outside the device.
The limit on the number of TCP and UDP connections per subscriber is set individually for each IP address pool, which lets the operator allocate address-space resources economically between corporate and residential clients. Connections that show no activity are closed, freeing up their ports.
All connections of a subscriber from one private internal IP address are bound to one external address.
Network translations are recorded in a text file or transmitted to an external collector via the IPFIX protocol (also known as NetFlow v10).
The platform supports up to 128 million simultaneous sessions per hardware and software system and handles traffic up to 120 Gbps.
Predictable NAT behavior is provided by the Full Cone and hairpinning functions. Per-user quotas ensure an even distribution of public IP ports between subscribers, so that viruses and malware cannot exhaust those resources.
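The following Python model is an added illustration of the behaviours listed in this section; it is not Stingray SG code or VAS Experts material. It implements a full-cone (endpoint-independent) mapping table with hairpinning, a per-subscriber port quota configured per address pool, idle-timeout reclamation of ports, and a translation log that can be searched by public address, port and time. All pools, addresses, quotas and timeouts are constructed sample values, and the quota and timeout semantics are simplified assumptions rather than the product's actual algorithms.

```python
# Added illustration (not Stingray SG code) of the CG-NAT behaviours described above: full cone mapping,
# hairpinning, per-pool port quotas, idle expiry and a searchable translation log. All values are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass
class Pool:
    subscribers: ipaddress.IPv4Network  # private range served by this pool
    public_ip: str                      # all subscribers of the pool share this one external address
    port_quota: int                     # max simultaneous public ports per subscriber
    idle_timeout: float                 # seconds of inactivity before a mapping is closed

@dataclass
class Mapping:
    private_ip: str
    private_port: int
    pool: Pool
    public_port: int
    last_seen: float

class CGNat:
    def __init__(self, pools):
        self.pools = pools
        self.mappings = {}   # (private_ip, private_port) -> Mapping
        self.by_public = {}  # (public_ip, public_port) -> Mapping
        self.free_ports = {p.public_ip: list(range(65535, 1023, -1)) for p in pools}  # pop() gives lowest first
        self.log = []        # (event, private_ip, private_port, public_ip, public_port, time)

    def outbound(self, private_ip, private_port, now):
        """Subscriber packet leaving the NAT: returns (public_ip, public_port), or None if refused."""
        key = (private_ip, private_port)
        if key in self.mappings:  # full cone: one mapping per internal socket, whatever the destination
            m = self.mappings[key]
            m.last_seen = now
            return m.pool.public_ip, m.public_port
        pool = next(p for p in self.pools if ipaddress.ip_address(private_ip) in p.subscribers)
        used = sum(1 for m in self.mappings.values() if m.private_ip == private_ip)
        if used >= pool.port_quota or not self.free_ports[pool.public_ip]:
            # Refused: a quota hit affects only this subscriber, not neighbours on the same public IP.
            self.log.append(("refused", private_ip, private_port, pool.public_ip, None, now))
            return None
        public_port = self.free_ports[pool.public_ip].pop()
        m = Mapping(private_ip, private_port, pool, public_port, now)
        self.mappings[key] = self.by_public[(pool.public_ip, public_port)] = m
        self.log.append(("create", private_ip, private_port, pool.public_ip, public_port, now))
        return pool.public_ip, public_port

    def inbound(self, public_ip, public_port, now):
        """Packet from any external host to a mapped port is delivered (full cone); others are dropped."""
        m = self.by_public.get((public_ip, public_port))
        if m is not None:
            m.last_seen = now
        return (m.private_ip, m.private_port) if m else None

    def hairpin(self, src_ip, src_port, dst_public_ip, dst_public_port, now):
        """Subscriber-to-subscriber traffic via public addresses: translated in place, never forwarded out."""
        src = self.outbound(src_ip, src_port, now)
        return (src, self.inbound(dst_public_ip, dst_public_port, now)) if src else None

    def expire(self, now):
        """Close idle mappings and return their ports to the pool; returns the number of ports freed."""
        freed = 0
        for key, m in list(self.mappings.items()):
            if now - m.last_seen >= m.pool.idle_timeout:
                del self.mappings[key], self.by_public[(m.pool.public_ip, m.public_port)]
                self.free_ports[m.pool.public_ip].append(m.public_port)
                self.log.append(("expire", m.private_ip, m.private_port, m.pool.public_ip, m.public_port, now))
                freed += 1
        return freed

    def who_was(self, public_ip, public_port, at):
        """Abuse-desk lookup: which (private_ip, private_port) held this public ip:port at time `at`?"""
        holder = None
        for event, priv_ip, priv_port, pub_ip, pub_port, t in self.log:
            if (pub_ip, pub_port) == (public_ip, public_port) and t <= at:
                holder = (priv_ip, priv_port) if event == "create" else None
        return holder

def demo():
    """Walk through the behaviours with constructed sample addresses (RFC 1918 private, RFC 5737 public)."""
    nat = CGNat([Pool(ipaddress.ip_network("10.0.0.0/24"), "203.0.113.10", port_quota=3, idle_timeout=60),
                 Pool(ipaddress.ip_network("10.1.0.0/24"), "203.0.113.20", port_quota=100, idle_timeout=300)])
    r = {}
    # An infected residential host opens five connections at once; the quota stops it at three, while its
    # neighbour behind the same public IP and a corporate user in the other pool are unaffected.
    r["infected_host"] = [nat.outbound("10.0.0.5", 40000 + i, now=100.0) for i in range(5)]
    r["neighbour"] = nat.outbound("10.0.0.6", 5000, now=101.0)
    r["corporate"] = nat.outbound("10.1.0.9", 7000, now=101.0)
    r["inbound_any_host"] = nat.inbound("203.0.113.10", 1027, now=102.0)
    r["hairpin"] = nat.hairpin("10.0.0.5", 40000, "203.0.113.10", 1027, now=103.0)
    # At t=161 the two mappings idle since t=100 are closed; those refreshed at t=103 survive.
    r["expired"] = nat.expire(now=161.0)
    # Freed ports are reused (10.0.0.7 receives 1026 at t=200), so a log lookup is only meaningful with a time.
    nat.outbound("10.0.0.7", 6000, now=200.0)
    r["lookup_expired"] = nat.who_was("203.0.113.10", 1025, at=162.0)
    r["port_1026_at_150"] = nat.who_was("203.0.113.10", 1026, at=150.0)
    r["port_1026_at_200"] = nat.who_was("203.0.113.10", 1026, at=200.0)
    return r
```

Two points the walk-through makes for a defender: the per-subscriber quota confines a misbehaving host to its own share of the public address's ports, so its neighbours keep working, and because freed ports are handed out again, a translation log is only useful for attributing a public ip:port to a subscriber when every record carries a timestamp and the lookup supplies one.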
It is important for operators to maintain connectivity for all application services and users while preserving application integrity. Application Level Gateway (ALG) support ensures that protocols such as FTP, TFTP, RTSP, PPTP, SIP, ICMP, H.323, ESP, MGCP and DNS remain operational through the NAT. Many legacy NAT implementations do not provide this level of transparency.
Integrated protection blocks the large traffic volumes of multi-vector DDoS attacks. The CG-NAT solution keeps network resources available for processing subscriber traffic and prevents service interruptions.
VLAN support in CG-NAT saves ports on the operator's equipment and increases NIC utilization: downstream and upstream traffic are distinguished by VLAN ID rather than by NIC, so the same network interface card can carry both directions. This option is especially effective in combination with LACP.
Link Aggregation Control Protocol (LACP) combines several physical ports into a single logical link and increases fault tolerance.
As the number of subscribers and the volume of transmitted traffic grow, capacity can be scaled dynamically and bandwidth increased by upgrading the server or adding virtual NAT instances in the Telco Cloud.
Reliability is ensured by the Active-Standby and Active-Active redundancy modes. In both variants two devices are involved: if the active one fails, traffic is switched to the second one without loss by means of routing protocols.
Types
The VAS Experts solution supports:
CG-NAT (NAT44)
Network address and port translation allows multiple subscribers to share a single public IPv4 address, extending the use of the limited IPv4 address space.
BiNAT (NAT1:1)
One-to-one network address translation provides a static public IP address service without changing settings on the CPE, by translating all ports of the private address to a single public address.
Implementation notes
- To perform CG-NAT, Stingray SG must be deployed in in-line mode.
- To activate the CG-NAT function, a Stingray BRAS or COMPLETE license is required.
- A standby Stingray system is recommended for fault tolerance.
- Actual address translation performance varies from 6 to 200 Gbps, depending on the chosen hardware platform and the type of Stingray software license.
Implementation options
In the classic pattern, the CG-NAT device is connected between the BNG and a router and performs network address translation there. The NAT log is transmitted via the IPFIX protocol (NetFlow v10) to a dedicated server or VM where the QoE Stor database and GUI are installed, which allows the NAT log to be stored and searched efficiently.
We propose combining the CG-NAT and DPI functions on one device in order not only to translate addresses but also to recognize and classify traffic by protocol and direction, apply policing to a shared channel, segment traffic, and work with statistics (Full NetFlow and Clickstream).
Additional information about subscribers is used by sales, marketing and technical support departments.
The best option is to combine the CG-NAT, DPI and BNG functions on one device and thus build a flexible, easily managed network core; this significantly reduces the total cost of ownership (TCO) thanks to compactness, high performance, and uniform management and operation.
In this pattern, in addition to network address translation and deep packet inspection, IPoE/PPPoE subscriber authorization and BGP/OSPF routing are implemented on the same device, and integration with billing (AAA) is carried out via PCRF.
Advantages of DPI-based CG-NAT
- Complies with industry standards: RFC 6888 (Common Requirements for Carrier-Grade NATs (CGNs)) and RFC 4787 (Network Address Translation (NAT) Behavioral Requirements for Unicast UDP)
- Uses the limited IPv4 address space effectively, so the IPv4 network infrastructure can remain in service longer and maintain continuous availability and reliability of critically important applications and services
- High performance: the platform supports up to 128 million simultaneous sessions
- A smooth transition to IPv6 is possible via tunneling support between IPv4 and IPv6 networks
- The product scales dynamically and increases throughput without interrupting traffic
- Limits the number of TCP and UDP ports per subscriber, providing DDoS protection and network security
- A complete set of DPI platform tools and options with centralized management, lowering both capital and operating expenses and running the network efficiently